United States Patent [19] 

Thorne et al. 



[54] ELECTRONIC MAIL SECURITY 

[75] Inventors: John Thorne, Washington, D.C.; Marie L. Davis, Germantown; Michael J. Strauss, Potomac, both of Md.

[73] Assignee: Bell Atlantic Network Services, Inc., 
Arlington, Va. 

[21] Appl. No.: 08/895,745 
[22] Filed: Jul. 17, 1997 

[51] Int. Cl.6 G06F 17/30

[52] U.S. Cl. 709/202; 709/203; 709/206; 709/207; 709/277; 709/303; 707/9; 707/10; 380/4; 380/25; 380/51

[58] Field of Search 709/202, 206, 207, 227, 303, 203; 707/9, 10; 380/4, 25, 51

[56] References Cited 

U.S. PATENT DOCUMENTS 

4,881,179 11/1989 Vincent 395/113 

4,899,299 2/1990 MacPhail . 

4,935,954 6/1990 Thompson et al. . 

5,014,234 5/1991 Edwards, Jr. . 

5,051,891 9/1991 MacPhail . 

5,109,508 4/1992 Mitsumori et al. . 

5,123,104 6/1992 Levine et al. . 

5,170,479 12/1992 Talcamoro . 

5,327,555 7/1994 Anderson . 

5,388,256 2/1995 Herbert. 

5,406,557 4/1995 Baudoin 95/200.36 

5,412,717 5/1995 Fischer 380/4 

5,504,897 4/1996 Gans et al. . 






[11] Patent Number: 5,958,005
[45] Date of Patent: Sep. 28, 1999 



5,568,540 10/1996 Greco et al. . 

5,598,279 1/1997 Ishii et al 358/402 

5,600,834 2/1997 Howard. 

5,625,818 4/1997 Zarmer et al. . 

5,633,932 5/1997 Davis et al 380/25 

5,717,742 2/1998 Hyde-Thomson 379/88 

5,765,152 6/1998 Erickson 707/9 

5,786,817 7/1998 Sakano et al 345/339 

5,812,669 9/1998 Jenkins et al 380/25 

5,822,527 10/1998 Post 395/200.36 

5,826,269 10/1998 Hussey 709/206 

5,838,685 11/1998 Hochman 370/428 

5,864,683 1/1999 Boebert et al 395/200.79



Primary Examiner— Frank J. Asta 

Assistant Examiner — William D. Thomson 

Attorney, Agent, or Firm— McDermott, Will & Emery 

[57] ABSTRACT 

A method, system, and product for communicating data text messages, such as E-Mail, between computers connected to a network while providing selectable degrees of security for each message. The methodology comprises the procedure of creating in the originating computer a data message having a header which specifies, in addition to the address of the intended recipient computer, one or more security parameters which control the processing of the data message in the recipient computer. The security parameters include instructions for erasure of the data message following its storage in the recipient computer. The security parameters also include instructions as to whether or not copying, archiving, forwarding and printing of the data message is permitted. The recipient computer processes the data message in accordance with the instructions. The erasure is of such a nature as to render the data message irretrievable following erasure.

54 Claims, 6 Drawing Sheets 
ELECTRONIC MAIL SECURITY

FIELD OF THE INVENTION

This invention relates in general to methods and systems for managing the security of electronic documents stored in an interactive information handling system, and more particularly relates to the controlling of the confidentiality of electronic mail communications over networks.

BACKGROUND

In recent years business communications have relied increasingly on exchanges of electronic or E-Mail via desk top or portable computers. Generally speaking E-Mail constitutes a store and forward service for transmission of textual messages transmitted in machine readable form from a computer terminal or computer system. The message sent from one computer user to another is stored in the recipient's mailbox or post office until that person next logs onto the system. The system can then provide for retrieval and delivery of the message.

While this form of communication is now in widespread use, employees and business people in general have been prone to employ less than adequate procedures to protect the confidentiality of many business communications. While most business people recognize that a written document provides a relatively permanent record, they mistakenly assume that an E-Mail message does not. In fact, most E-Mail messages today are readily copied, printed or forwarded, without the sender's knowledge or control. Also, techniques exist for finding and capturing old E-Mail messages that may be stored or once were stored on disk drives in any one of a large number of networked computers or servers. As a result of these factors, it currently is very difficult for a business to ensure that there are no E-Mail messages containing confidential materials or inappropriate comments, which later might be discovered and retrievable by other parties.

While the patent literature contains certain discussions of aspects of electronic document management, it fails to address the particular problem outlined hereinabove.

U.S. Pat. Nos. 4,899,299 and 5,051,891 to MacPhail, respectively entitled Method for Managing The Retention of Electronic Documents in an Interactive Information Handling System, and Method to Manage Transfer of Ownership of Electronic Documents Stored in an Interactive Information Handling System, issued Feb. 6, 1990 and Sep. 24, 1991, discuss document retention and deletion methodology. Although there is no express mention of E-Mail, the text suggests that the documents range from memos and messages to long reports. The originator of a document specifies an ownership expiration date, and the enterprise operating the system establishes an expiration date. An algorithm causes deletion of a document from storage when a particular relationship exists among the current date and the two expiration dates. For example, the system deletes a message if the current date is later than both of the expiration dates.

U.S. Pat. No. 5,568,540 to Greco et al., entitled Method and Apparatus for Selecting and Playing a Voice Mail Message, issued Oct. 22, 1996, deals with displaying voice mail message information and playing voice mail through a computer speaker. The disclosed system may provide a display of messages that can be merged into a single list, including E-Mail messages. As an additional feature, this patent suggests that if a sender does not want the recipient to copy the message for further distribution to others, the sender may designate the message as "Private." The system does not allow copying of such a "Private" message from one mail box to another.

U.S. Pat. No. 4,935,954 to Thompson et al., entitled Automated Message Retrieval System, issued Jun. 19, 1990, discloses an [illegible] retrieval system. A computer automatically performs various procedures, including [illegible].

U.S. Pat. No. 5,014,234 to Edwards, Jr., entitled System With Software Usage Timer and Counter for Allowing Limited Use but Preventing Continued Unauthorized Use of Protected Software, issued May 7, 1991, pertains to prevention of continued unauthorized use of protected software. Copies of software are installed for a limited time. If the software is not registered within the time limit, the software is disabled. The system provides a notice indicating an impending software "Self-Destruct" in the event of failure to register.

U.S. Pat. No. 5,600,834 to Howard, entitled Method and Apparatus for Reconciling Different Versions of a File, issued Feb. [day illegible], 1997, deals with reconciling different versions of the files stored in computers at two or more separate locations or sites. Howard utilizes journals or logs of work performed on each file.

Numerous E-Mail applications or programs are currently available commercially. Many of these applications come from personal software companies. Examples include Word Perfect Office, Lotus Notes, CCmail, Microsoft Mail, etc. In the computer conferencing area a number of systems have become available. These include Notes, [illegible], and SuperKOM. The available systems, for the most part, provide deletion of messages only upon positive action of the recipient or upon the volume of stored data reaching some predetermined threshold. However, SuperKOM has a provision for deleting messages after a certain time unless the user has taken positive steps to so mark the messages as to prevent deletion. SuperKOM has both a personal data base for each user and a common data base for all users connected to the same server. Users of SuperKOM can use search keys on messages in the central data base. Such keys are one way of stopping messages from being deleted. It is also possible to protect messages from being purged in the personal data base of an individual SuperKOM user.

However, these capabilities fall far short of satisfying business needs for managing and protecting the confidentiality of electronic mail communications. Those needs include capabilities to control not only the circulation of messages or electronic documents by the originator, but also the usage of the documents by the recipient for further dissemination and storage. Thus there is an existing need to provide to an E-Mail originator or sender the capability to control the ability of the recipient to copy, forward, print, and store the document. Still further, there is a need for an erasure procedure that goes beyond deletion and precludes recovery.

SUMMARY OF THE INVENTION

It is a primary object of the invention to provide a method and system for satisfying the above described needs.

It is a further object of the invention to satisfy those needs in an effective yet user friendly and readily administered fashion.

One example of the conventional processing of E-Mail in a typical corporate local area network or LAN is preliminarily described to provide a context for a discussion of the methodology of the invention.
In this example of a corporate or business network, each department of the business is provided with its own server. Each such server is a host to a multiplicity of work stations or client computers in that department. Each server and each server client runs the same E-Mail application and each server provides a departmental post office which is subdivided into a plurality of work group or client post offices. The work group post offices serve the individual work stations or client computers in that work group. The term post office is here used to indicate a collection of mail boxes which reside on the respective server.

In sending an E-Mail message in this architecture arrangement, an employee at a work station or client computer composes a message on that computer. This results in the creation of a copy of that message on the hard drive of the composing employee's computer. The computer is connected to the host server and the server also has a copy of the message in its memory. The server includes a mail exchange agent which acts as a store and forward node for transport of the message either to another work station within the same department or to another department. Here it is assumed that the single server acts to deliver the message to a recipient client computer in the same department.

In this typical scenario a copy of the message now exists on a disk at each of the five different agents. These include (1) the hard drive of the composing employee, (2) a first position of a post office disk of the server (sender mail box), (3) a second position of a disk serving as the exchange agent of the server, (4) a third position in the post office disk of the server (recipient mail box), and (5) the hard drive of the recipient or addressee computer. If the message goes to another department it will pass through at least one additional server, and there will be even further instances of storage of the message.

With respect to the duration of retention of the message, the second, third, and fourth instances of storage of the message, namely, those under control of the server, are deleted in a routine maintenance cycle pursuant to predetermined tables. The deletion of the first and fifth instances of storage of the message, namely at the computers of the originator and recipient, are under control of the originator and recipient. If the recipient copies, archives or forwards the message, additional instances of storage are created. Still further, the recipient may print the message and thereby create a hard copy susceptible to unlimited copying.

In conventional practice the erasure of records normally constitutes deletion. However, when files are deleted the data is not physically removed from the disk. Typically, some or all of the characters constituting the file name or address are altered with a special character or erased from the internal file allocation address table. This has the effect of rendering the disk space occupied by the file available for reuse, i.e., the file is marked for deletion. Until the space is reused it is possible to "undelete" and recover the file data. Further, techniques are available which make possible the recovery of data even after the disk space has been reused, depending upon the extent of reuse.

Compacting of data to recover disk space is a process which normally involves a single overwrite operation of data. Such a single overwrite normally will not prevent recovery of the overwritten data. The National Security Agency (NSA) specification for data erasures require that the file be written over seven times using an alternating byte write sequence of: 00, FF, 00, FF, 00, FF, F6. Normal commercially available Disk Clean Up erasures simply write the F6 character to deleted files.

It is a primary object of the invention to provide a method for managing the retention of preselected data in a manner to effectuate the desired degree of security for designated information.

It is another object of the invention to provide a methodology for achieving this goal in a straight forward, user-friendly manner.

With the foregoing ends in view, the invention finds embodiment in certain combinations of elements, system architectures, methodologies, and series of steps by which the objects aforementioned and certain other objects are hereinafter attained, all as more fully described with reference to the accompanying drawings and the scope of which is more particularly pointed out and indicated in the appended claims.

BRIEF DESCRIPTION OF DRAWINGS

FIG. 1 is a diagrammatic illustration of the architecture of [illegible] Network [illegible] embodiment.

FIG. 2 is a diagrammatic illustration of a typical work station, computer, or PC used in the network of FIG. 1 illustrating the functionality which is provided.

FIG. 3 is a simplified flow chart showing the operation of composing and sending an E-Mail message.

FIG. 4 is a diagrammatic illustration of a typical E-Mail header which may be used according to one preferred embodiment of the invention.

FIGS. 5A-5B are a simplified flow chart showing the processing of a received E-Mail message according to the invention.

DESCRIPTION OF THE PREFERRED EMBODIMENT

Referring to FIG. 1 there is shown a typical local area network or LAN 110 which may serve a business sufficiently large to need a pair of servers. Although shown as a single LAN configuration, the invention is equally applicable to other communications networks including the PSTN, Internet, cellular and paging networks, individually and in combination. The servers 112 and 114 are shown serving different areas of the network, such as, by way of example, different departments of the company. Two such departments are indicated as Department A and Department B divided by the broken line 116. Each server has an operating system or OS running the same E-Mail application. Each server also has a storage that functions as a post office and sub-post offices for the computers which it serves. These storages are indicated at 113 and 115 in FIG. 1. The server 112 and its post office 113 generally serve the client computers in Department A, while the server 114 and its post office 115 generally serve the client computers in Department B.

Functionally, the network operates to allow each terminal to communicate with the servers and to one or more other terminals using established communication protocols, so that the various communication links are transparent to the users.

FIG. 2 is a block diagram of the functional components of a typical computer 118. The computer 118 is a typical workstation or personal computer (PC), although other computer platforms may be used, including laptop and palmtop portable computers and dedicated platforms such as Web-TV.
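The seven-pass overwrite sequence quoted above (00, FF, 00, FF, 00, FF, F6), as an added example that is not code from the patent. The function names are hypothetical, and the code assumes a filesystem and device that rewrite data in place.

```python
import os
import stat

# Pass values quoted in the text: seven passes, alternating 00/FF, then F6.
PASS_BYTES = (0x00, 0xFF, 0x00, 0xFF, 0x00, 0xFF, 0xF6)
CHUNK = 64 * 1024


def _write_pass(fd, size, value):
    """Fill the first `size` bytes with `value` and force them to the device."""
    os.lseek(fd, 0, os.SEEK_SET)
    block = bytes([value]) * CHUNK
    remaining = size
    while remaining > 0:
        remaining -= os.write(fd, block[:min(CHUNK, remaining)])
    # Without fsync the passes can be merged in the page cache, so that only
    # the last one ever reaches the disk.
    os.fsync(fd)


def _verify_pass(fd, size, value):
    """Read the file back and confirm every byte equals `value`."""
    os.lseek(fd, 0, os.SEEK_SET)
    remaining = size
    while remaining > 0:
        data = os.read(fd, min(CHUNK, remaining))
        if not data or data.count(value) != len(data):
            return False
        remaining -= len(data)
    return True


def overwrite_file(path, passes=PASS_BYTES):
    """Overwrite a regular file in place; return the number of passes done."""
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode):
        # Refuse symlinks, devices and directories: only the named file
        # itself is overwritten.
        raise ValueError("not a regular file: %r" % path)
    fd = os.open(path, os.O_RDWR | getattr(os, "O_BINARY", 0))
    try:
        done = 0
        for value in passes:
            _write_pass(fd, st.st_size, value)
            done += 1
        if passes and not _verify_pass(fd, st.st_size, passes[-1]):
            raise OSError("final pass did not verify: %r" % path)
        return done
    finally:
        os.close(fd)


def purge_file(path, passes=PASS_BYTES):
    """Overwrite the contents, then remove the name from the directory."""
    done = overwrite_file(path, passes)
    # Rename first so the directory entry no longer carries the original
    # file name, which plain deletion leaves largely intact.
    neutral = os.path.join(os.path.dirname(path) or ".", os.urandom(8).hex())
    os.replace(path, neutral)
    os.unlink(neutral)
    return done
```

In-place overwriting reaches the original blocks only where the filesystem and device rewrite data in place; journaling or copy-on-write filesystems, flash wear-levelling, snapshots and backups can all retain earlier copies.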
The main processing element of the PC or workstation computer 118 is a programmable central processing unit (CPU). In the illustrated example, the CPU is a microprocessor 239. The control code for certain basic functions of the microprocessor is stored in a read only memory (ROM) 241. The PC or workstation computer 118 also includes one or more working memories, such as the dynamic random access memory (DRAM) 243, cache memory (not shown), and the like. The microprocessor runs programs loaded into the DRAM 243 from other storage devices.

To store programs, the computer 118 includes a number of different bulk storage systems. In the illustrated example, the computer includes a hard disk drive 245 and one or more floppy disk drives 247, and may include other storage media 249, such as a CD ROM drive, a digital tape drive or the like.

An internal bus system 244 provides two way data communications between the various elements of the computer. In particular, the microprocessor 239 receives digital signals from and sends a variety of digital signals to the other computer components via the bus 244. The computer typically connects through a display driver 231 to a display 233, such as a color cathode ray tube (CRT) type monitor. A user operates a keyboard 235 or another type of input device 237, such as a mouse, trackball or joystick, to input various information to the computer. The input devices 235, 237 connect to the computer through appropriate input ports, represented by the block 238 in the drawing.

The operating system program allows the microprocessor 239 to respond to signals from the input devices 235, 237 and produce signals through the driver 231, to effectuate a desired user interface. For example, a computer running a Windows type operating system provides a graphical user interface, for the operating system functions as well as for applications running on the operating system. The operating system also enables the microprocessor to execute various other application programs.

The computer includes one or more systems enabling communication with other data systems. In the illustrated example, the computer includes one or more high speed printer ports 251 coupled to the bus 244. The computer also includes one or more data interfaces 253 and 255, to enable communications with data devices either via direct connections, such as parallel ports, or, via bus interface 255, with a local area network (LAN) interface which enables communication with networked data devices.

The PC or workstation computer 118 may also include a modem 254 (or other communication interface) coupled to the bus 244. The modem 254 provides a two-way data communication coupling to a telephone line or other communication network link. The modem 254 sends and receives electrical, electromagnetic or optical signals which carry digital data streams representing various types of information in the format appropriate to the particular link.

The network link typically provides data communication through one or more networks to other data devices. For example, the link may provide a connection through the local telephone network to a host computer or to data equipment operated by an Internet Service Provider (ISP). The ISP equipment in turn provides data communication services through the world wide packet data communication network now commonly referred to as the 'Internet'. The local telephone network and the Internet both use electrical, electromagnetic or optical signals which carry digital data streams. The signals through the various networks and the signals on the link and through the modem 254 which carry the digital data to and from the computer are exemplary forms of 'carrier waves' transporting the information.

The computer 118 can send messages and receive data, including program code, through the network(s), the network link and the modem 254. In the Internet example, a server might transmit requested code for an application program or upgrade through the Internet, the equipment of the ISP, the local telephone network and the communication interface. In accord with the invention, one of the downloaded applications might include an E-Mail application.

The computer can receive a new application via the modem 254, bus interface 255, or data interface 253, or via an insertable storage media, such as a floppy in drive 247 or a tape or CD in another drive 249. When a new program is loaded, the microprocessor loads the received code from the drive 247, 249 or the modem 254, bus interface 255, or data interface 253, typically onto the hard disk storage 245. In this manner, the computer 23 may obtain application code in the form of a carrier wave, or the computer may obtain application code as data stored on a floppy disc, a compact disc or other transportable media. If the code represents an application program, the microprocessor 239 later loads the code into random access memory 243 for execution.

Thus the program software, including E-Mail applications, may reside at different times on a variety of media, including the various memories, disk drives and other storage media. The computer platform also may receive software in the form of carrier wave signals bearing digital code, via various communication ports and interfaces, such as the data interface(s) 253, 255 and the modem 254.

The operation of the LAN 110 in the handling of E-Mail according to one preferred embodiment of the invention is now described. All processor agents, including all servers and client computers, are provided with and run an E-Mail application which provides the following functions:

1. Designation of secure files as such. 

2. File forwarding enablement or disablement. 

3. Copying enablement or disablement. 

4. Printing enablement or disablement. 

5. Specification of number of prints enabled. 

6. Archiving enablement or disablement. 

7. Specification of number of readings enabled. 

8. Specification of erase date. 

9. Specification of display time. 

The E-Mail application will present a user who enters a "Compose E-Mail" command into an originating computer with a template for specifying the security parameters which the message originator desires. According to a preferred embodiment of the invention the user is presented with a template including the following entry fields:

1. Designate document "Secure" — "Yes/No." 

2. Designate security classification "Secret/Confidential/Restricted."

3. File forwarding "Enable" "Disable." 

4. Copy "Enable" "Disable." 

5. Print "Enable" "Disable." 

6. Number of copies "__"

7. Archive "Enable" "Disable." 

8. Display " " times. 

9. Automatically Erase " " days from today's date. 

10. Erase Date " / / " 

11. Send Only to Another Secure System "Yes" "No". 

12. Warn If Addressee System Not Secure "Yes" "No". 
The entry fields in the template would be typically populated with default settings that would be provided according to a setup file of the user. Thus, the user need only indicate changes to the normal security settings when preparing an E-Mail message.

The operation of composing and sending a message is illustrated in flow chart form in FIG. 3. Referring to that figure, entry into the E-Mail program is shown at 300. At 302 the user inputs the command to open the E-Mail "Compose" graphical interface. Upon opening the compose graphical interface, the user is presented with a template containing the above described fields to be completed. As stated, the fields of the template typically appear with the default values so that the user may elect to retain all such values. Alternatively the user may change one or more of these responses.

At 304 the user may select "Yes" or "No" in response to the inquiry as to whether or not it is desired to designate the message as a secure document. In this illustration it is assumed that the user enters "Yes" by keyboard or mouse entry or that "Yes" is designated by default.

At steps 306, 308, and 310 the user selects the class of security which it is desired to impose. This selection may control the maximum duration of life which the user is able to attach to the document. For example, selection of a "Secret" classification may be programmed to limit the erasure date to a maximum of twenty-four hours. This will be reflected by the graphical interface by automatic entry of the erase date, which otherwise may be optional when step 324 is reached. If the user were to select the "Restricted" classification, which is the lowest secure classification, then the maximum life of the document may be a week, by way of example.

The selection of a security classification also ensures that the document will not only be erased or deleted but will be purged from the disk in a manner to prevent its subsequent retrieval. For example, the file or the entire deleted portion of a disk may be subjected to a cleaning or purging according to NSA specifications. This disk cleaning or purging in response to detecting a security designation is in addition to any routine disk clean up or purge which the network may otherwise conduct as a matter of course.

Upon the recording of an E-Mail document by any processor in the network which is using an E-Mail application pursuant to the invention, the processor recognizes the security designation. Each security designation is assigned a maximum life for the message or document to which it is applied. Upon recognizing the security designation the recording processor derives from a stored table the life to be assigned to that particular document and calculates the date by which that document should be purged. Upon the arrival of that date the processor schedules the disk on which the message was recorded for a complete purging of that file and all deleted files on that disk at the preselected low traffic time of day at which disk purges are to be conducted.

With respect to client computers which may not be on continuously, the application will initiate an algorithm which causes the computer to run the purge routine as a preliminary to shut down. Thus the affixation of the security designation assures that the message will be purged irretrievably after passage of the predetermined time period. In the case of client computers which periodically go into a sleep mode, the purge may be accomplished immediately prior to shutting down the disk as a function of going into a sleep mode.

At step 312 the user elects to either permit or prohibit forwarding of the message. The election as to whether or not to allow copying is entered at step 314 by selecting "Enable" or "Disable." At step 316 the print permission is either selected or not. If the user chooses to enable printing the number of copies field is activated and the user enters the number of copies at 318. At step 320 the user elects to permit or not permit archiving. At step 322 the user may enter the number of times that the recipient will be allowed to display the message. Optionally the application may also allow the sender of the message to choose the duration of display (not shown). At 323 or 324 the user may enter the erasure date. Entry of a specific number of days in step 323 will cause the application to [illegible] the date at step 324 or vice versa. As previously described this option may be circumscribed by the class of security which the sender has chosen. Thus, in the case of the twenty-four hour life limit above described for a "Secret" classification, the date would be automatically [illegible] this date field by the application. At step 325 the user elects to send the message only to a secure system. At step 326 the user directs that a warning be provided if the addressee system is not secure.

Having completed the above fields in the template the "Compose Message" button is actuated at 327. A blank message screen is then presented to the user and the message may be entered. When the user is satisfied with the message the "Send" button may be clicked or keyed at 328. The message is thereupon dispatched on the network.

The E-Mail application in use according to the invention responds to the setting of the fields of the template by causing the packet assembler to insert into the message packet header flags to cause each recipient computer or processor to respond to the commands created by completion of the template. An exemplary header of that type is illustrated in FIG. 4. The E-Mail application running on computers connected to the network is also programmed to respond to a default flag to set maximum security. Such a default flag may be set in the situation where the sender of a message designates the message as a secure message but fails to complete the remainder of the template and select a specific classification designation. A preferable option is to compel the user to insert a choice as to classification in order to proceed with sending of the message as a secure message.

It has been previously stated that, according to one embodiment of the invention, all computers connected to the network and within the network are running the same E-Mail application. In one preferred embodiment of the invention all client computers of all servers in the network are capable of using E-Mail only by operating off of the server E-Mail application, i.e., it is mandated that the client E-Mail software has to run from the server. No client computer resident E-Mail applications will operate with the system. This feature protects against computer operators or users installing in their computers application upgrades which have not been installed in the server applications. In many instances the installation of such an upgrade in one computer and not the other leads to unpredictable problems and could have the potential capability of defeating the security procedures.

According to an alternate embodiment, server software is verified by the E-Mail system as compatible with the requested security features prior to transmission of a message. If the servers are compatible, e.g., employ an automatic delete capability, then the message is transmitted. In the absence of such confirmation message indicating server E-Mail security functional capabilities, the user is warned and given the option to override and have the message sent (or not).
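The compose-side rules described above (a classification capping the erase date, the default flag for a secure message with no classification, the low-traffic purge slot) together with the counting of prints and displays that the function list calls for, as an added example that is not code from the patent. The field names, the "Confidential" lifetime, the 2:00 purge hour default and the reading of "maximum security" as the strictest class with every permission off are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Maximum life per classification. Twenty-four hours for "Secret" and one
# week for "Restricted" are the text's examples; "Confidential" is assumed.
MAX_LIFE = {
    "Secret": timedelta(hours=24),
    "Confidential": timedelta(days=3),
    "Restricted": timedelta(days=7),
}
MAX_SECURITY = "Secret"  # assumed meaning of the "default flag"


@dataclass
class SecurityHeader:
    """Hypothetical header fields, one per entry of the compose template."""
    secure: bool = False
    classification: Optional[str] = None
    forward: bool = False
    copy: bool = False
    archive: bool = False
    prints: int = 0                    # 0 means printing is disabled
    displays: Optional[int] = None     # None means no display limit
    erase_at: Optional[datetime] = None


def finalize(h: SecurityHeader, composed_at: datetime) -> SecurityHeader:
    """Sender side: apply the default flag and cap the erase date."""
    if not h.secure:
        return h
    if h.classification is None:
        # Marked secure but never classified: fall back to maximum security.
        h.classification = MAX_SECURITY
        h.forward = h.copy = h.archive = False
        h.prints = 0
    if h.classification not in MAX_LIFE:
        raise ValueError("unknown classification: %r" % h.classification)
    latest = composed_at + MAX_LIFE[h.classification]
    if h.erase_at is None or h.erase_at > latest:
        h.erase_at = latest            # automatic entry of the erase date
    return h


def purge_slot(erase_at: datetime, purge_hour: int = 2) -> datetime:
    """First low-traffic purge run at or after the erase date."""
    slot = erase_at.replace(hour=purge_hour, minute=0, second=0, microsecond=0)
    return slot if slot >= erase_at else slot + timedelta(days=1)


@dataclass
class ReceivedMessage:
    """Recipient side: per-message use counters checked against the header."""
    header: SecurityHeader
    displayed: int = 0
    printed: int = 0

    def request(self, action: str, now: datetime) -> bool:
        """Return True, and record the use, only if the header permits it."""
        h = self.header
        if not h.secure:
            return True
        if h.erase_at is not None and now >= h.erase_at:
            return False               # past its life: awaiting purge
        if action == "display":
            if h.displays is not None and self.displayed >= h.displays:
                return False
            self.displayed += 1
            return True
        if action == "print":
            if self.printed >= h.prints:
                return False
            self.printed += 1
            return True
        # Anything not explicitly enabled, including unknown actions, is denied.
        allowed = {"forward": h.forward, "copy": h.copy, "archive": h.archive}
        return allowed.get(action, False)
```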
It is a further feature of the security system of the
invention that all server disks and the disks of all computers
that are connected to the network and running are subjected
to a complete disk clean-up at a low traffic time at least once
each twenty four hours. By way of example, such a disk
clean-up may be routinely carried out each morning at 2:00
a.m.

The deleting of a file merely removes the file's directory
entry. But the data itself remains on the disk. Disk CleanUp
is a small utility designed to clear previously deleted files.
Disk CleanUp completely eliminates the contents of deleted
files. The clean up will not delete files from a disk, but rather
cleans up the empty space on the disk by creating a temporary
file named "CleanUp" on the drive being cleaned. The
file is written to and expanded until the entire drive has been
cleared. When disk clean up is complete the temporary file
is automatically removed. In effect the file constitutes a
temporary or dummy file which simply fills up all empty
disk space. In the case of erasure or purge of a specific
message, the temporary or dummy file may fill the disk
space occupied by that message.

The cleanup can be to NSA specifications or to a lower
standard depending upon the procedures programmed into
the utility associated with the E-Mail application. The NSA
specification is preferred despite the fact that the NSA
erasure method requires additional time. In the network
described as exemplary of the preferred embodiment, control
may be exercised over all access and elements, such as,
the servers and all clients. When a message with an erasure
flag proceeds through the processing elements of a network
operated according to one embodiment of the invention,
each such processing element (such as a server), receives it
and acknowledges receipt and sends it forward until it
reaches the addressed terminal. According to one optional
feature of the invention, each forwarding processor, upon
receiving acknowledgement of receipt by the next agent,
may automatically erase and purge the message. Thus the
message may be immediately deleted in each intermediate
processor. In addition, the receiving addressee processor sets
the message into the applicable algorithm for complete
purging at the next algorithm purging which is established
for a message of that particular security classification. This
purging may be in addition to any periodic purging which
may have been established in the system.

Referring to FIG. 5 the E-Mail message retrieval procedure
is now described. The procedure starts at 510. At 512
the [illegible] interface [illegible] automatically
scans all E-Mail messages to locate any secure messages
which are subject to a ripe purge demand but somehow
remain in the client computer. Such messages which are
located are thereupon purged and a notification of such
purge is sent to the user as well as to the originator or sender
of the message.

At 516 the system ascertains whether the user is requesting
to open any E-Mail files. The system simply loops until
a request is received. At 518 the system retrieves designated
E-Mail messages and inspects the message header flags. At
520 this inspection determines whether a secure E-Mail flag
has been set. Although not specifically illustrated the
determination that the document is secure initiates a purge routine
in the particular processor which is reading the header. This
routine mandates that the disk will be purged of the message
pursuant to the appropriate routine which has been identified.
In store and forwarding processors this may be immediately
subsequent to receipt of an acknowledgement of the
forwarding. Purging may also be used at a low traffic time
as previously described.

At 522 the system ascertains whether forwarding has been
enabled. If forwarding has not been enabled, the message
forwarding function is deactivated and the message forwarding
icon is dimmed or grayed out or not highlighted.
Message forwarding is inhibited. This is shown at 524.

At 526 the system ascertains whether copying has been enabled.
If not, all possible copying methods are disabled. This would
[illegible] send save [illegible].

At 530 the system ascertains whether print once has been
specified. If it has been specified, the system counts the first
printing cycle at 532. If one print cycle is detected, printing
is disabled at 534. If a print cycle has not occurred and is not
detected at 532, then the print icon is replaced with a print
once icon, and any applicable menu box is modified to
indicate that print once is in effect. If the answer at 530 is
affirmative, i.e., printing has been enabled but print once has
not been enabled, the system proceeds to 538. If printing has
not been enabled the message print function is disabled and
the message print icon and menu are deactivated. Printing is
inhibited. This is shown at 540. At 542 the system ascertains
whether archiving has been enabled. If the response is
negative archiving is disabled and the message archive icon
and associated menu are deactivated. Archiving is inhibited,
as shown at 544.

According to a preferred embodiment of the invention the
[illegible] of printing of secure messages which is permitted
is limited to printing with [illegible], such as Do Not
[illegible]. The printing is also limited to such printing as uses
a format which is not subject to ordinary reproduction. This
may constitute gray-on-gray printing or printing which uses
a combination of background and font colors which will not
easily copy.

At 546 the E-Mail message is opened and the text
displayed. The opening of the display starts a timer count,
and at 548 this is observed to determine whether the maximum
display time has been exceeded. This feature is provided
in order to insure that a user does not bring the
message up and leave it displayed for hours. At the passage
of the specified display time, the application displays a
"Display Time Exceeded" message, and processing to close
the message is initiated. These steps are shown at 550 and
552. The message display is then closed as if the user had
issued a close command.

It is possible that the user may enter a command prior to
the automatic closure of the message and this determination
is made at 554. Executable commands would be "Close" or
"Exit." These commands are sensed at 556 and at 558, and
the system processes the close or exit command.

It is anticipated that the [illegible] life [illegible] be
extended [illegible] specific [illegible] prior to expiration of the
initial message life countdown. One such executable input
would be if the user indicates that a reply is to be sent.
However, even in this situation the duration of the display
will be subject to an extended but not unlimited time period.
Thus, if the user enters a reply input and commences to enter
the address and text of a reply, the display may continue so
long as the text entry does not pause for a time exceeding a
maximum pause imposed by the application. If the user
timely enters the reply text and enters the send command,
this is executed at 558.

When such a reply is processed, it is a feature of the
invention that the application does not reproduce or include
the original message in such reply. The replying processor
retains the message in its memory subject to the constraints
imposed by the security classification, but does not send a
copy of the original message back through the system to the
originating processor. This minimizes the number of sites
and number of times that a secure or classified message is
stored.

In due time the display is discontinued, either upon
expiration of the maximum display time or pursuant to
command of the user. At 560 the message read times counter
is incremented. A determination as to whether or not the
times read or displayed has exceeded the specified maximum
is made at 562. If this does occur the message is
deleted and purged. Notification is sent to the user and the
sender. These steps are shown at 564.

The remainder of the steps effect a closing of the E-Mail
function. Thus at 566 the close message files is entered.
Optionally, at this time the application may check for the
existence of an unexecuted purge situation. If such a situation
is found, the purge may be executed at this time prior
to closing of the E-Mail application. At 568 the deactivated
functions are re-activated and restored to their default functions.
At 570 the user may enter an exit command. If this
occurs the application scans all E-Mail messages, deletes
and purges secure messages having erase dates of or past the
current date, and notifies the user and sender of such
deletion. This is shown at 572. At 574 all program or
application files are closed and control is returned to the
operating system. The process ends at 576.

If the user does not enter an exit command at 570, the 
application returns to step 516 to permit the user to view and 
process E-Mail messages which have not been classified as
secure and which do not invoke the security application 
processing. 
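
The FIG. 5 checks described above, from the header-flag inspection at 520 through the read-count test at 562 and the exit scan at 572, collected into one added Python example (not code from the patent). The field names, the `notify` callback and the in-memory mailbox are assumptions, since the description defines no header layout.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class SecureHeader:
    """Header flags. Field names are hypothetical; the patent fixes no layout."""
    secure: bool = False
    forwarding: bool = True
    copying: bool = True
    printing: str = "enabled"          # "enabled", "once" or "disabled"
    archiving: bool = True
    max_display_s: int = 0             # 0 means no limit
    max_reads: int = 0                 # 0 means no limit
    erase_date: Optional[date] = None


@dataclass
class Message:
    header: SecureHeader
    body: str
    reads: int = 0
    prints: int = 0
    purged: bool = False


def controls(msg):
    """Steps 520-544: which client functions stay active for this message."""
    h = msg.header
    if not h.secure:
        return {"forward": True, "copy": True, "print": True, "archive": True}
    may_print = h.printing == "enabled" or (h.printing == "once" and msg.prints == 0)
    return {"forward": h.forwarding, "copy": h.copying, "print": may_print, "archive": h.archiving}


def print_message(msg):
    """Steps 530-534: print once is spent after the first print cycle."""
    allowed = controls(msg)["print"]
    msg.prints += allowed              # a bool adds 0 or 1
    return allowed


def display_notice(msg, seconds_open):
    """Steps 546-552: the notice shown when the display timer runs out, else None."""
    limit = msg.header.max_display_s
    expired = msg.header.secure and limit and seconds_open >= limit
    return "Display Time Exceeded" if expired else None


def purge(msg, notify, reason):
    msg.body = ""                      # stands in for the overwrite-and-erase routine
    msg.purged = True
    for party in ("user", "sender"):
        notify(party, reason)


def close_message(msg, notify):
    """Steps 560-564: count the read; purge once the maximum is exceeded."""
    msg.reads += 1
    limit = msg.header.max_reads
    # "Exceeded" is taken literally (>); use >= to cap displays at the limit.
    if msg.header.secure and limit and msg.reads > limit and not msg.purged:
        purge(msg, notify, "read limit exceeded")
    return msg.purged


def scan(mailbox, today, notify):
    """Start-up and exit (572) scans: purge secure messages at or past erase date."""
    for msg in mailbox:
        h = msg.header
        if h.secure and not msg.purged and h.erase_date and h.erase_date <= today:
            purge(msg, notify, "erase date reached")
    return [m for m in mailbox if not m.purged]


if __name__ == "__main__":
    demo = Message(SecureHeader(secure=True, forwarding=False, printing="once"), "constructed body")
    print(controls(demo), print_message(demo), print_message(demo))
```

Messages without the secure flag pass through `controls` untouched, matching the return to step 516 for mail that does not invoke the security processing.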

The invention also comprehends as an optional feature
that, if the user continues the operation of the E-Mail
application, the application periodically, for example every
hour, will check to ascertain if any security step needs to be
taken. If such a condition is found to exist the application
will proceed to process the condition in the various manners
above described. As a further option, since the E-Mail
application is running in the server, this periodic check and
others can be made in the server, regardless of whether or
not the user has the E-Mail application running.

Also included as optional procedures according to the
invention are acknowledgement that the message has been
received and that the message has been displayed. These
acknowledgments also may be effected by suitable flags in
the message header. An additional acknowledgment which
may be flagged in the header is a notification to the sender
that the message has been printed, i.e., a print receipt, and/or
that the message has been deleted either manually or
automatically. A still additional feature includes a graphic or
numerical indication of the display time remaining before
deletion.

It will be appreciated that multiple delete and purge
routines have been described. These may be used selectively
or in combination at the option of the network operator.
Client computers are frequently subject to usage by one or
a limited number of employees during business hours. On
the other hand, servers operate to serve the network and may
be subject to heavy traffic. As a result it may be desirable to
limit time consuming purge routines in servers to a greater
extent than in client computers. Thus servers may be set to
perform deletions during heavy traffic hours and to perform
purges only at the periodic low traffic periods. The particular
routine is under control of the network operator.
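
The delete-now, purge-later split that this paragraph leaves to the network operator, together with the multi-pass overwrite using different characters that the claims recite, as an added Python example (not code from the patent). The overwrite characters, the `.deleted` tombstone rename and all names are assumptions made for illustration.

```python
import os
import tempfile

# Constructed overwrite characters, one per pass; the patent names none and
# the NSA specification it mentions is not reproduced here.
PASS_PATTERNS = (b"\x00", b"\xff", b"\xaa")


def overwrite_in_place(path, patterns=PASS_PATTERNS, chunk=65536, after_pass=None):
    """Overwrite every byte of the file once per pattern; return the pass count."""
    # Only reaches the original blocks where the filesystem writes in place;
    # copy-on-write filesystems and flash wear levelling can keep older copies.
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for number, pattern in enumerate(patterns, start=1):
            fh.seek(0)
            remaining = size
            while remaining:
                n = min(chunk, remaining)
                fh.write(pattern * n)
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())          # push this pass out to the device
            if after_pass:
                after_pass(path, number, pattern)
    return len(patterns)


class PurgeQueue:
    """Delete at once, purge at the low-traffic time (hypothetical helper)."""

    def __init__(self):
        self.pending = []                  # deleted messages whose bytes remain

    def delete(self, path):
        """Fast step: the message leaves the mailbox, its data stays on disk."""
        # The rename stands in for removing the directory entry while keeping
        # a handle through which the later purge can reach the same data.
        tombstone = path + ".deleted"
        os.rename(path, tombstone)
        self.pending.append(tombstone)
        return tombstone

    def purge_all(self, after_pass=None):
        """Slow step: multi-pass overwrite, then remove the file for good."""
        purged = 0
        while self.pending:
            tombstone = self.pending.pop()
            overwrite_in_place(tombstone, after_pass=after_pass)
            os.remove(tombstone)
            purged += 1
        return purged


def demo():
    """Return (data survives delete, each pass clean, files purged, file gone)."""
    body = b"CONSTRUCTED SAMPLE MESSAGE: quarterly figures attached\n" * 8
    workdir = tempfile.mkdtemp()
    message = os.path.join(workdir, "msg-0001.eml")
    with open(message, "wb") as fh:
        fh.write(body)
    queue = PurgeQueue()
    tombstone = queue.delete(message)
    with open(tombstone, "rb") as fh:
        survives = fh.read() == body       # delete alone erased nothing
    clean = []

    def check(path, number, pattern):
        with open(path, "rb") as fh:
            clean.append(fh.read() == pattern * len(body))

    purged = queue.purge_all(after_pass=check)
    gone = not os.path.exists(tombstone)
    os.rmdir(workdir)
    return survives, clean, purged, gone


if __name__ == "__main__":
    print(demo())
```

A server following the paragraph above would call `delete` during heavy traffic hours and `purge_all` only in the low traffic window.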

According to another embodiment of the invention the 
receiving system may include resident E-Mail applications 
which are different but which are verified to be compatible
with those features required to accommodate the message to 
be sent by the sending system. Thus, prior to transmission of 
a secure message, the sending station would request verifi- 
cation from the intended recipient's E-Mail system that it 
complies with the security features required to handle the 
intended message. Upon receiving verification that the 
receiving system is security compliant, i.e., includes all 
features required to process the intended message, the send- 
ing system then transmits the corresponding E-Mail message 
for receipt by the destination system. If the recipient system 
does not include some or all of the required security features 
so as to properly handle the intended E-Mail message, the 
sending system would be notified and the user given a 
warning and option to send the message without the security 
features which could not be accommodated by the intended 
recipient system. 

While the foregoing has described what are considered to 
be preferred embodiments of the invention, it is understood 
that various modifications may be made therein and that the 
invention may be implemented in various forms and 
embodiments, and that it may be applied in numerous 
applications, only some of which have been described 
herein. It is intended by the following claims to claim all 
such modifications and variations which fall within the true 
scope of the invention. 

What is claimed is: 

1. A method of communicating between processing 
devices comprising the steps of: 

a) creating in a first processing device a header for a data 
message; 

b) populating said header with address data and process- 
ing instruction data; 

c) creating said data message; 

d) storing said data message in a second processing 
device; 

e) displaying said data message; 

f) processing said data message in said second processing 
device responsive to said processing instruction data; 

g) said processing including the step of erasing said data 
message from storage in said second processing device 
in accordance with said processing instruction data. 

2. A method according to claim 1 wherein said erasing
step comprises over-writing said data message multiple
times.

3. A method according to claim 2 wherein successive 
over-writing steps utilize different over-write characters. 

4. A method according to claim 2 wherein said erasing 
step renders said data message irrecoverable. 

5. A method according to claim 2 wherein said erasing 
step is performed according to the erasure specifications of 
the National Security Agency. 

6. A method according to claim 2 including the step of 
disabling printing of said data message by said second 
processing device. 

7. A method according to claim 2 including the step of 
enabling a single printing of one copy of said data message 
by said second processing device. 

8. A method according to claim 2 including the step of 
limiting the time duration of display of said data message in 
accordance with said processing instruction data in said 
header. 

9. A method according to claim 2 including the step of 
disabling copying of said data message in said second 
processing device. 

10. A method according to claim 2 including the step of 
disabling forwarding of said data message in said second 
processing device. 
11. A method according to claim 2 including the step of
designating said data message with a security parameter.

12. A method according to claim 11 including the step of
periodically erasing data messages stored in said second
processing device.

13. A method according to claim 2 including the step of
disabling archiving of said data message by said second
processing device.

14. A method according to claim 2 wherein successive
over-writing steps utilize different over-write characters, and
wherein said erasing step renders said data message
irrecoverable.

15. A method according to claim 14 including the step of
disabling printing of said data message by said second
processing device.

16. A method according to claim 14 including the step of
enabling a single printing of one copy of said data message
by said second processing device.

17. A method according to claim 14 including the step of
limiting the time duration of display of said data message in
accordance with said processing instruction data in said
header.

18. A method according to claim 14 including the step of
disabling copying of said data message in said second
processing device.

19. A method according to claim 14 including the step of
disabling forwarding of said data message in said second
processing device.

20. A method according to claim 14 including the step of
disabling archiving of said data message by said second
processing device.

21. A method according to claim 2 wherein successive
over-writing steps utilize different over-write characters, and
wherein said erasing step renders said data message
irrecoverable, and including the steps of disabling printing
of said data message by said second processing device, and
limiting the time duration of display of said data message in
accordance with said processing instruction data in said
header.

22. A method according to claim 21 including the steps of
disabling copying of said data message in said second
processing device.

23. A method according to claim 22 including the step of
disabling forwarding of said data message in said second
processing device.

24. A method according to claim 23 including the step of
disabling archiving of said data message by said second
processing device.

25. A product bearing a sequence of computer executable
instructions, said sequence of computer executable
instructions, when executed in a pair of computers,
comprising instructions for performing the steps of:

a) creating in a first of said computers a header for a data
message;

b) populating said header with address data and processing
instruction data;

c) creating said data message;

d) storing said data message in a second of said computers;

e) displaying said data message;

f) processing said data message in said second of said
computers responsive to said processing instruction
data;

g) said processing including the step of erasing said data
message from storage in said second computer in
accordance with said processing instruction data.

26. A product according to claim 25 wherein said erasing
step comprises over-writing said data message multiple
times.

27. A product according to claim 26 wherein successive
over-writing steps utilize different over-write characters.

28. A product according to claim 26 wherein said erasing
step renders said data message irrecoverable.

29. In a communication network having connected thereto
at least one server and a plurality of client computers a
method of communicating between said client computers
comprising the steps of:

a) creating in a first client computer a header for a data
message;

b) populating said header with address data and processing
instruction data;

c) creating said data message;

d) storing said data message in a second client computer;

e) displaying said data message;

f) processing said data message in said second client
computer responsive to said processing instruction
data;

g) said processing including the step of erasing said data
message from storage in said second client computer in
accordance with said processing instruction data.

30. A method according to claim 29 wherein said erasing
step comprises over-writing said data message multiple
times.

31. A method according to claim 30 wherein successive
over-writing steps utilize different over-write characters.

32. A method according to claim 30 wherein said erasing
step renders said data message irrecoverable.

33. A method according to claim 29 including the step of
storing said data message in said server prior to storing said
data message in said second client computer.

34. A method according to claim 33 including the step of
erasing said data message from storage in said server
substantially immediately after storing said data message in
said second client computer.

35. A method according to claim 29 including the step of
disabling printing of said data message by said second client
computer.

36. A method according to claim 29 including the step of
enabling a single printing of one copy of said data message
by said second client computer.

37. A method according to claim 29 including the step of
limiting the time duration of display of said data message in
accordance with said processing instruction data in said
header.

38. A method according to claim 29 including the step of
disabling copying of said data message in said second client
computer.

39. A method according to claim 29 including the step of
disabling forwarding of said data message in said second
client computer.

40. A method according to claim 29 including the step of
designating said data message with a security parameter.

41. A method according to claim 40 including the step of
periodically erasing data messages stored in said second
client computer.

42. A method according to claim 29 including the step of
disabling archiving of said data message by said second
client computer.

43. A method of communicating between processing
devices comprising the steps of:

a) creating in an originating processing device a header
for a data message;
b) populating said header with address data and processing
instruction data;

c) creating said data message; 

d) storing said data message in at least one intermediate 
processing device; 

e) storing said data message in an addressee processing 
device; 

f) displaying said data message; 

g) processing said data message in said addressee pro- 
cessing device responsive to said processing instruction 
data; 

h) said processing including the step of erasing said data 
message from storage in said originating processing 
device in accordance with said processing instruction 
data; 

i) processing said data message in said at least one 
intermediate processing device responsive to said pro- 
cessing instruction data; 

j) said processing in said at least one intermediate pro- 
cessing device including the step of erasing said data 
message from storage in said intermediate processing 
device in accordance with said processing instruction 
data. 

44. A method according to claim 43 including the steps of 
transmitting a copy of said message from said intermediate 
processing device to said addressee processing device, and 
erasing said message from said intermediate processing 
device upon transmitting said copy of said message to said 
addressee processing device. 

45. A method according to claim 44 wherein said erasure 
of said message in said intermediate processing device 
occurs substantially immediately after transmitting said 
message to said addressee processing device. 

46. A method according to claim 44 wherein said erasure 
of said message in said intermediate processing device 
occurs a predetermined time after transmitting said message 
to said addressee processing device. 

47. A method according to claim 44 wherein said erasure 
of said message in said intermediate processing device 
occurs substantially immediately after transmitting said
message to said addressee processing device and comprises 
over-writing said data message by address multiple times. 

48. A method according to claim 44 wherein said erasing 
step comprises over-writing said data message multiple 
times. 

49. A method according to claim 48 wherein successive 
over-writing steps utilize different over-write characters. 

50. A method according to claim 44 wherein said erasing 
step renders said data message irrecoverable. 

51. A method according to claim 44 wherein said erasing 
of said message from said intermediate processing device 
occurs pursuant to a periodic erasure. 

52. A method according to claim 44 wherein said erasing 
of said message from said intermediate device comprises 
deleting said message and subsequently erasing said mes- 
sage in a manner that renders such message irretrievable. 

53. A method according to claim 52 wherein said erasing 
of said message in a manner that renders such message 
irretrievable occurs pursuant to a periodic erasure. 

54. A method of communicating between processing 
devices comprising the steps of: 

a) creating in a first processing device a header for a data 
message; 

b) populating said header with address data and process- 
ing instruction data; 

c) creating said data message; 

d) storing said data message in a second processing 
device; 

e) displaying said data message; 

f) processing said data message in said second processing 
device responsive to said processing instruction data; 

g) said processing including the step of erasing said data 
message from storage in said second processing device 
in accordance with said processing instruction data, 
said erasure occurring substantially immediately prior 
to shut down of said second processing device. 